【破文标题】:Multi desktop V3.00 注册算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:Multi desktop V3.00
【软件大小】:528 KB
【软件语言】:英文
【软件类别】:国外软件 / 共享版 / 桌面工具
【整理时间】:2005-10-27
【开 发 商】:http://www.8848soft.com/
【下载地址】:http://www.8848soft.com/d1/multidesktop_setup.exe
【软件简介】:Multi Desktop 是一个非常不错的虚拟桌面管理软件!支持4个虚拟桌面;支持为各个虚拟桌面建立自己的图标、名字、壁纸,通过拖放操作将窗口在虚拟桌面之间移动;支持使用快捷键在虚拟桌面之间切换;支持为虚拟桌面选择壁纸风格。
【保护方式】:注册码 + 启动NAG + 15天试用限制
【编译语言】:Microsoft Visual C++ 6.0
【调试环境】:WinXP、PEiD、Ollydbg
【破解日期】:2005-10-29
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
【破解过程】:
侦测:用PEiD查壳,无壳,Microsoft Visual C++ 6.0 编译。
试探:运行主程序注册,输入试炼码,确认!程序提示:"Registration failed, please check the code and try again!"
下药:Ollydbg载入主程序,命令下断:bpx MessageBoxA,回车,F9运行,输入试炼信息:
************* 试炼信息 **************
Registered name:KuNgBiM
Registered code:1111-2222-3333-4444
*************************************
0041CB34 51
push ecx
0041CB35 FF15 2CD34200
call dword ptr ds:[<&USER32.MessageBoxA>]
; 这里中断,Alt+F9返回!
0041CB3B 5E
pop esi
0041CB3C C2 0C00
retn 0C
........
返回到:
; ---------------------------------------------------------------------------
; MultiDes.00409E60 -- registration-dialog handler (OllyDbg listing, 32-bit x86,
; Intel operand order, all numbers hexadecimal).
; In:   ecx = object pointer; copied to esi and used as the base for [esi+...].
; Flow visible in this listing:
;   1. [esi+170] is a counter: if it is already > 2 the whole check is skipped
;      (jump to the epilogue at 0040A075); otherwise it is incremented.
;   2. The fields at esi+15C / 160 / 164 / 168 are combined through three calls
;      to 0041EBC8 and stored back through edi (= esi+15C).
;   3. 00409420 builds the "calculation name", 004068D0 hashes it, and
;      00417FF2 is called with a count of 0x10 on the result.
;   4. 0040DE34 compares that value with the entered code; eax == 0 takes the
;      success path, anything else the failure path.
; NOTE(review): the small-integer writes to [esp+2C]/[esp+30]/[esp+34]/[esp+38]
; look like a compiler-maintained exception-handling state index rather than
; part of the check -- unconfirmed.
; ---------------------------------------------------------------------------
00409E60 64:A1 00000000      mov eax,dword ptr fs:[0]            ; author: set an F2 breakpoint here, then Ctrl+F2 to reload the program
00409E66 6A FF               push -1
00409E68 68 68BD4200         push MultiDes.0042BD68
00409E6D 50                  push eax
00409E6E 64:8925 0000000>    mov dword ptr fs:[0],esp
00409E75 83EC 14             sub esp,14
00409E78 53                  push ebx
00409E79 55                  push ebp
00409E7A 56                  push esi
00409E7B 8BF1                mov esi,ecx
00409E7D 57                  push edi
; Counter check: more than 2 means the comparison below never runs.
00409E7E 8B86 70010000       mov eax,dword ptr ds:[esi+170]
00409E84 83F8 02             cmp eax,2
00409E87 0F8F E8010000       jg MultiDes.0040A075
00409E8D 40                  inc eax
00409E8E 6A 01               push 1
00409E90 8986 70010000       mov dword ptr ds:[esi+170],eax
00409E96 E8 A2350100         call MultiDes.0041D43D
; Combine the four code fields. 0041EBC8 is presumably a string concatenation:
; the author's trace shows "1111-2222-3333-4444" arriving at the compare as
; "1111222233334444" -- TODO confirm against the callee.
00409E9B 8D86 60010000       lea eax,dword ptr ds:[esi+160]
00409EA1 8DBE 5C010000       lea edi,dword ptr ds:[esi+15C]
00409EA7 50                  push eax
00409EA8 8D4C24 1C           lea ecx,dword ptr ss:[esp+1C]
00409EAC 57                  push edi
00409EAD 51                  push ecx
00409EAE E8 154D0100         call MultiDes.0041EBC8
00409EB3 8D96 64010000       lea edx,dword ptr ds:[esi+164]
00409EB9 33DB                xor ebx,ebx
00409EBB 52                  push edx
00409EBC 50                  push eax
00409EBD 8D4424 1C           lea eax,dword ptr ss:[esp+1C]
00409EC1 895C24 34           mov dword ptr ss:[esp+34],ebx
00409EC5 50                  push eax
00409EC6 E8 FD4C0100         call MultiDes.0041EBC8
00409ECB 8D8E 68010000       lea ecx,dword ptr ds:[esi+168]
00409ED1 8D5424 10           lea edx,dword ptr ss:[esp+10]
00409ED5 51                  push ecx
00409ED6 50                  push eax
00409ED7 52                  push edx
00409ED8 C64424 38 01        mov byte ptr ss:[esp+38],1
00409EDD E8 E64C0100         call MultiDes.0041EBC8
00409EE2 50                  push eax
00409EE3 8BCF                mov ecx,edi
00409EE5 C64424 30 02        mov byte ptr ss:[esp+30],2
00409EEA E8 E34B0100         call MultiDes.0041EAD2
; 0041E9E5 is called on each stack temporary after use -- presumably its
; destructor; not shown on this page.
00409EEF 8D4C24 10           lea ecx,dword ptr ss:[esp+10]
00409EF3 C64424 2C 01        mov byte ptr ss:[esp+2C],1
00409EF8 E8 E84A0100         call MultiDes.0041E9E5
00409EFD 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00409F01 885C24 2C           mov byte ptr ss:[esp+2C],bl
00409F05 E8 DB4A0100         call MultiDes.0041E9E5
00409F0A 8D4C24 18           lea ecx,dword ptr ss:[esp+18]
00409F0E C74424 2C FFFFF>    mov dword ptr ss:[esp+2C],-1
00409F16 E8 CA4A0100         call MultiDes.0041E9E5
00409F1B 68 90C54300         push MultiDes.0043C590
00409F20 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00409F24 E8 2A4B0100         call MultiDes.0041EA53
; Build the calculation name from the name field at esi+158.
00409F29 8DAE 58010000       lea ebp,dword ptr ds:[esi+158]
00409F2F 8D4424 18           lea eax,dword ptr ss:[esp+18]
00409F33 BB 03000000         mov ebx,3
00409F38 55                  push ebp
00409F39 50                  push eax
00409F3A B9 88C64300         mov ecx,MultiDes.0043C688
00409F3F 895C24 34           mov dword ptr ss:[esp+34],ebx
00409F43 E8 D8F4FFFF         call MultiDes.00409420              ; author: user-name check call, step in with F7
00409F48 50                  push eax
00409F49 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00409F4D C64424 30 04        mov byte ptr ss:[esp+30],4
00409F52 E8 7B4B0100         call MultiDes.0041EAD2
00409F57 8D4C24 18           lea ecx,dword ptr ss:[esp+18]
00409F5B 885C24 2C           mov byte ptr ss:[esp+2C],bl
00409F5F E8 814A0100         call MultiDes.0041E9E5              ; author: first 2 chars of the upper-cased name, joined with "wfeewwf3deda"
00409F64 8B4424 10           mov eax,dword ptr ss:[esp+10]       ; ASCII "KUwfeewwf3deda"
00409F68 8B48 F8             mov ecx,dword ptr ds:[eax-8]        ; author: length of the combined name, ds:[009138C8]=0000000E
00409F6B 51                  push ecx                            ; ecx=0000000E (14 characters)
00409F6C 8D4C24 18           lea ecx,dword ptr ss:[esp+18]
00409F70 50                  push eax                            ; author: calculation name pushed, ASCII "KUwfeewwf3deda"
00409F71 51                  push ecx
00409F72 E8 59C9FFFF         call MultiDes.004068D0              ; author: important call, step in with F7
00409F77 83C4 0C             add esp,0C
00409F7A 50                  push eax
00409F7B 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00409F7F C64424 30 05        mov byte ptr ss:[esp+30],5
00409F84 E8 494B0100         call MultiDes.0041EAD2
00409F89 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00409F8D 885C24 2C           mov byte ptr ss:[esp+2C],bl
00409F91 E8 4F4A0100         call MultiDes.0041E9E5
; 0x10 (16) is pushed as the count for 00417FF2; the author's summary states
; that the first 16 characters of the digest text become the expected code.
00409F96 8D5424 1C           lea edx,dword ptr ss:[esp+1C]
00409F9A 6A 10               push 10
00409F9C 52                  push edx
00409F9D 8D4C24 18           lea ecx,dword ptr ss:[esp+18]
00409FA1 E8 4CE00000         call MultiDes.00417FF2
00409FA6 50                  push eax
00409FA7 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00409FAB C64424 30 06        mov byte ptr ss:[esp+30],6
00409FB0 E8 1D4B0100         call MultiDes.0041EAD2
00409FB5 8D4C24 1C           lea ecx,dword ptr ss:[esp+1C]
00409FB9 885C24 2C           mov byte ptr ss:[esp+2C],bl
00409FBD E8 234A0100         call MultiDes.0041E9E5              ; author: fetch the code the user entered
00409FC2 8B07                mov eax,dword ptr ds:[edi]
00409FC4 50                  push eax                            ; author: entered code pushed, ASCII "1111222233334444"
00409FC5 8B4424 14           mov eax,dword ptr ss:[esp+14]       ; author: load the expected code, ready for the comparison
00409FC9 50                  push eax                            ; author: expected code pushed, ASCII "687fcda714009cf4"
; NOTE(review): both operands are plain strings at this point, so the expected
; value is derived and held in process memory next to the user's input. The
; check therefore rests only on the derivation staying unread; verifying a
; vendor signature over the name instead would keep the expected code out of
; the client.
00409FCA E8 653E0000         call MultiDes.0040DE34              ; author: the classic expected-vs-entered comparison call
00409FCF 83C4 08             add esp,8
00409FD2 85C0                test eax,eax
00409FD4 75 53               jnz short MultiDes.0040A029         ; author: not equal -> jump away, game over
; --- success path (eax == 0) ---
00409FD6 83CB FF             or ebx,FFFFFFFF
00409FD9 8D4C24 10           lea ecx,dword ptr ss:[esp+10]
00409FDD 895C24 2C           mov dword ptr ss:[esp+2C],ebx
00409FE1 E8 FF490100         call MultiDes.0041E9E5
00409FE6 8D4C24 1C           lea ecx,dword ptr ss:[esp+1C]
00409FEA 51                  push ecx
00409FEB B9 88C64300         mov ecx,MultiDes.0043C688
00409FF0 E8 BBF5FFFF         call MultiDes.004095B0
00409FF5 8B00                mov eax,dword ptr ds:[eax]
00409FF7 6A 40               push 40                             ; presumably the message-box style value -- confirm against 0041CB0D
00409FF9 50                  push eax
00409FFA 68 9C874300         push MultiDes.0043879C              ; ASCII "Registration finished, thank for your registration!"
00409FFF 8BCE                mov ecx,esi
0040A001 C74424 38 07000>    mov dword ptr ss:[esp+38],7
0040A009 E8 FF2A0100         call MultiDes.0041CB0D
0040A00E 8D4C24 1C           lea ecx,dword ptr ss:[esp+1C]
0040A012 895C24 2C           mov dword ptr ss:[esp+2C],ebx
0040A016 E8 CA490100         call MultiDes.0041E9E5
; Called with the name field (ebp = esi+158) and the code field (edi = esi+15C)
; on the success path only; what 004092C0 does with them is not shown here.
0040A01B 57                  push edi
0040A01C 55                  push ebp
0040A01D B9 88C64300         mov ecx,MultiDes.0043C688
0040A022 E8 99F2FFFF         call MultiDes.004092C0
0040A027 EB 45               jmp short MultiDes.0040A06E
; --- failure path (eax != 0) ---
0040A029 83CF FF             or edi,FFFFFFFF
0040A02C 8D4C24 10           lea ecx,dword ptr ss:[esp+10]
0040A030 897C24 2C           mov dword ptr ss:[esp+2C],edi
0040A034 E8 AC490100         call MultiDes.0041E9E5
0040A039 8D5424 20           lea edx,dword ptr ss:[esp+20]
0040A03D B9 88C64300         mov ecx,MultiDes.0043C688
0040A042 52                  push edx
0040A043 E8 68F5FFFF         call MultiDes.004095B0
0040A048 8B00                mov eax,dword ptr ds:[eax]
0040A04A 6A 10               push 10                             ; presumably the message-box style value -- confirm against 0041CB0D
0040A04C 50                  push eax
0040A04D 68 60874300         push MultiDes.00438760              ; ASCII "Registration failed, please check the code and try again!"
0040A052 8BCE                mov ecx,esi
0040A054 C74424 38 08000>    mov dword ptr ss:[esp+38],8
0040A05C E8 AC2A0100         call MultiDes.0041CB0D
0040A061 8D4C24 20           lea ecx,dword ptr ss:[esp+20]       ; author: execution returns here; scroll up to find a place for the breakpoint
0040A065 897C24 2C           mov dword ptr ss:[esp+2C],edi
0040A069 E8 77490100         call MultiDes.0041E9E5
; --- common exit ---
0040A06E 8BCE                mov ecx,esi
0040A070 E8 500D0100         call MultiDes.0041ADC5
0040A075 8B4C24 24           mov ecx,dword ptr ss:[esp+24]
0040A079 5F                  pop edi
0040A07A 5E                  pop esi
0040A07B 5D                  pop ebp
0040A07C 5B                  pop ebx
0040A07D 64:890D 0000000>    mov dword ptr fs:[0],ecx            ; restore the fs:[0] value saved in the prologue
0040A084 83C4 20             add esp,20
0040A087 C3                  retn                                ; author: back to the program UI
........
========================= 跟进 00409F43 E8 D8F4FFFF call MultiDes.00409420 =========================
; ---------------------------------------------------------------------------
; MultiDes.00409420 -- derive the "calculation name" from the entered user name
; (OllyDbg listing, 32-bit x86, Intel operand order, hexadecimal numbers).
; Stack arguments: two dwords (the function ends with retn 8). The first is
; returned in eax and receives the result string; the second is the source name.
; Visible behaviour:
;   - the name is copied to a local, passed through 0041844F / 00418403 /
;     0041EE86 (upper-casing, per the author) and twice through 00417FB5;
;   - if the resulting length is <= 2 the literal "AA" replaces the name;
;   - 00417FF2 is called with a count of 2, and the result is combined with the
;     fixed string at 00438444 ("wfeewwf3deda") by 0041EC2E.
; ---------------------------------------------------------------------------
00409420 6A FF               push -1                             ; author: stepping in lands here
00409422 68 8FBB4200         push MultiDes.0042BB8F
00409427 64:A1 00000000      mov eax,dword ptr fs:[0]
0040942D 50                  push eax
0040942E 64:8925 0000000>    mov dword ptr fs:[0],esp
00409435 83EC 0C             sub esp,0C
00409438 8B4424 20           mov eax,dword ptr ss:[esp+20]
0040943C 53                  push ebx
0040943D 56                  push esi
0040943E 50                  push eax
0040943F 8D4C24 2C           lea ecx,dword ptr ss:[esp+2C]
00409443 C74424 14 00000>    mov dword ptr ss:[esp+14],0
0040944B E8 0A530100         call MultiDes.0041E75A
00409450 BB 01000000         mov ebx,1
00409455 8D4C24 28           lea ecx,dword ptr ss:[esp+28]
00409459 895C24 1C           mov dword ptr ss:[esp+1C],ebx
0040945D E8 EDEF0000         call MultiDes.0041844F              ; author: fetch the user name
00409462 8D4C24 28           lea ecx,dword ptr ss:[esp+28]       ; ASCII "KuNgBiM"
00409466 E8 98EF0000         call MultiDes.00418403
0040946B 8D4C24 28           lea ecx,dword ptr ss:[esp+28]
0040946F E8 125A0100         call MultiDes.0041EE86              ; author: convert every character of the name from lower to upper case
; NOTE(review): 00417FB5 is called twice on the name with the byte pairs
; (2E, 42) and (20, 42). The author's annotations and summary do not describe
; these calls; they look like character substitutions -- unconfirmed, verify
; against the callee.
00409474 6A 42               push 42                             ; ASCII "KUNGBIM"
00409476 6A 2E               push 2E
00409478 8D4C24 30           lea ecx,dword ptr ss:[esp+30]       ; author: after the conversion, reload ecx
0040947C E8 34EB0000         call MultiDes.00417FB5
00409481 6A 42               push 42
00409483 6A 20               push 20
00409485 8D4C24 30           lea ecx,dword ptr ss:[esp+30]
00409489 E8 27EB0000         call MultiDes.00417FB5
0040948E 8B4C24 28           mov ecx,dword ptr ss:[esp+28]       ; author: load the converted name, ASCII "KUNGBIM"
00409492 8B41 F8             mov eax,dword ptr ds:[ecx-8]        ; author: name length, ds:[009139B8]=00000007
00409495 83F8 02             cmp eax,2                           ; author: compare the name length with 2
00409498 7E 4C               jle short MultiDes.004094E6         ; author: length <= 2 -> use the built-in default name
; --- name longer than 2 characters ---
0040949A 8D5424 0C           lea edx,dword ptr ss:[esp+C]
0040949E 6A 02               push 2                              ; author: number of name characters to take (2)
004094A0 52                  push edx
004094A1 8D4C24 30           lea ecx,dword ptr ss:[esp+30]       ; author: take the first 2 chars of the converted name, ASCII "KUNGBIM"
004094A5 E8 48EB0000         call MultiDes.00417FF2              ; author: fetch the fixed string
004094AA 68 44844300         push MultiDes.00438444              ; ASCII "wfeewwf3deda"
004094AF 50                  push eax
004094B0 8D4424 10           lea eax,dword ptr ss:[esp+10]
004094B4 C64424 24 02        mov byte ptr ss:[esp+24],2
004094B9 50                  push eax
004094BA E8 6F570100         call MultiDes.0041EC2E
004094BF 50                  push eax
004094C0 8D4C24 2C           lea ecx,dword ptr ss:[esp+2C]
004094C4 C64424 20 03        mov byte ptr ss:[esp+20],3
004094C9 E8 04560100         call MultiDes.0041EAD2
004094CE 8D4C24 08           lea ecx,dword ptr ss:[esp+8]
004094D2 C64424 1C 02        mov byte ptr ss:[esp+1C],2
004094D7 E8 09550100         call MultiDes.0041E9E5
004094DC 885C24 1C           mov byte ptr ss:[esp+1C],bl
004094E0 8D4C24 0C           lea ecx,dword ptr ss:[esp+C]
004094E4 EB 58               jmp short MultiDes.0040953E
; --- name of 2 characters or fewer: same steps with the literal at 00438440 ---
004094E6 68 40844300         push MultiDes.00438440              ; author: the program substitutes its own name "AA", ASCII "AA"
004094EB 8D4C24 2C           lea ecx,dword ptr ss:[esp+2C]
004094EF E8 81580100         call MultiDes.0041ED75
004094F4 8D4C24 08           lea ecx,dword ptr ss:[esp+8]
004094F8 6A 02               push 2
004094FA 51                  push ecx
004094FB 8D4C24 30           lea ecx,dword ptr ss:[esp+30]       ; author: load the default name, ASCII "AA"
004094FF E8 EEEA0000         call MultiDes.00417FF2              ; author: fetch the fixed string
00409504 68 44844300         push MultiDes.00438444              ; ASCII "wfeewwf3deda"
00409509 8D5424 10           lea edx,dword ptr ss:[esp+10]
0040950D 50                  push eax
0040950E 52                  push edx
0040950F C64424 28 04        mov byte ptr ss:[esp+28],4
00409514 E8 15570100         call MultiDes.0041EC2E
00409519 50                  push eax
0040951A 8D4C24 2C           lea ecx,dword ptr ss:[esp+2C]
0040951E C64424 20 05        mov byte ptr ss:[esp+20],5
00409523 E8 AA550100         call MultiDes.0041EAD2
00409528 8D4C24 0C           lea ecx,dword ptr ss:[esp+C]
0040952C C64424 1C 04        mov byte ptr ss:[esp+1C],4
00409531 E8 AF540100         call MultiDes.0041E9E5
00409536 885C24 1C           mov byte ptr ss:[esp+1C],bl
0040953A 8D4C24 08           lea ecx,dword ptr ss:[esp+8]
; --- both branches join here ---
0040953E E8 A2540100         call MultiDes.0041E9E5
00409543 8B7424 24           mov esi,dword ptr ss:[esp+24]
00409547 8D4424 28           lea eax,dword ptr ss:[esp+28]
0040954B 50                  push eax
0040954C 8BCE                mov ecx,esi
0040954E E8 07520100         call MultiDes.0041E75A
00409553 895C24 10           mov dword ptr ss:[esp+10],ebx
00409557 8D4C24 28           lea ecx,dword ptr ss:[esp+28]
0040955B C64424 1C 00        mov byte ptr ss:[esp+1C],0
00409560 E8 80540100         call MultiDes.0041E9E5
00409565 8B4C24 14           mov ecx,dword ptr ss:[esp+14]
00409569 8BC6                mov eax,esi                         ; return the result pointer loaded from [esp+24]
0040956B 5E                  pop esi
0040956C 5B                  pop ebx
0040956D 64:890D 0000000>    mov dword ptr fs:[0],ecx
00409574 83C4 18             add esp,18
00409577 C2 0800             retn 8
........
========================= 跟进 00409F72 E8 59C9FFFF call MultiDes.004068D0 =========================
; ---------------------------------------------------------------------------
; MultiDes.004068D0 -- hash wrapper (OllyDbg listing, 32-bit x86, Intel operand
; order, hexadecimal numbers).
; Stack arguments as pushed by the caller at 00409F6B..00409F71: result object
; pointer, input string pointer, input length. The caller removes them
; (add esp,0C after the call); this function ends with a plain retn.
; Sequence: 004073B0 initialises a context on the stack at [esp+C],
; 004075A0 feeds it the input (pointer + length), 00407440 is then called with
; the result pointer -- presumably the finalise/format step; its body is not
; shown on this page. The result pointer is returned in eax.
; ---------------------------------------------------------------------------
004068D0 6A FF               push -1                             ; author: stepping in lands here
004068D2 68 F8B54200         push MultiDes.0042B5F8
004068D7 64:A1 00000000      mov eax,dword ptr fs:[0]            ; author: fetch the calculation name, ASCII "KUwfeewwf3deda"
004068DD 50                  push eax
004068DE 64:8925 0000000>    mov dword ptr fs:[0],esp
004068E5 83EC 60             sub esp,60
004068E8 56                  push esi
004068E9 8B7424 7C           mov esi,dword ptr ss:[esp+7C]       ; author: length of the calculation name
004068ED 57                  push edi
004068EE 8B7C24 7C           mov edi,dword ptr ss:[esp+7C]       ; author: the calculation name itself
004068F2 6A 00               push 0
004068F4 56                  push esi                            ; esi=0000000E (14 characters)
004068F5 57                  push edi                            ; edi=009138D0, (ASCII "KUwfeewwf3deda")
004068F6 C74424 14 00000>    mov dword ptr ss:[esp+14],0
004068FE E8 9E1B0100         call MultiDes.004184A1
00406903 8D4C24 0C           lea ecx,dword ptr ss:[esp+C]
00406907 E8 A40A0000         call MultiDes.004073B0              ; author: loads the standard MD5 constants, step in with F7
0040690C 56                  push esi
0040690D 57                  push edi
0040690E 8D4C24 14           lea ecx,dword ptr ss:[esp+14]
00406912 C74424 78 00000>    mov dword ptr ss:[esp+78],0
0040691A E8 810C0000         call MultiDes.004075A0              ; author: the standard MD5 processing routine, step in with F7
0040691F 8B7424 78           mov esi,dword ptr ss:[esp+78]
00406923 8D4C24 0C           lea ecx,dword ptr ss:[esp+C]
00406927 56                  push esi
00406928 E8 130B0000         call MultiDes.00407440              ; author: standard MD5 applied to the calculation name
0040692D 8B4C24 68           mov ecx,dword ptr ss:[esp+68]
00406931 8BC6                mov eax,esi                         ; return value = pointer loaded from [esp+78] above
00406933 5F                  pop edi
00406934 5E                  pop esi
00406935 64:890D 0000000>    mov dword ptr fs:[0],ecx
0040693C 83C4 6C             add esp,6C
0040693F C3                  retn
........
========================= 跟进 00406907 E8 A40A0000 call MultiDes.004073B0 =========================
; ---------------------------------------------------------------------------
; MultiDes.004073B0 -- hash-context initialiser (OllyDbg listing, 32-bit x86,
; Intel operand order, hexadecimal numbers).
; In:   ecx = context pointer.   Out: eax = the same pointer.
; Layout written here:
;   [ctx+00]        = 0042DE78 (presumably a vtable pointer -- confirm)
;   [ctx+04..+43]   = 0x10 dwords (64 bytes) zeroed
;   [ctx+44],[+48]  = 0
;   [ctx+4C..+58]   = 67452301, EFCDAB89, 98BADCFE, 10325476
; NOTE(review): these four words are MD5's initial chaining values, but MD4
; uses the same four and SHA-1 starts with them as well, so they do not
; identify the algorithm on their own. The author's MD5 identification rests
; on the block transform at 00406990, which is not shown on this page.
; ---------------------------------------------------------------------------
004073B0 8BD1                mov edx,ecx                         ; author: what follows are the standard MD5 constants
004073B2 57                  push edi
004073B3 B9 10000000         mov ecx,10                          ; 0x10 dwords for the rep stos below
004073B8 33C0                xor eax,eax
004073BA 8D7A 04             lea edi,dword ptr ds:[edx+4]
004073BD C702 78DE4200       mov dword ptr ds:[edx],MultiDes.0042DE78
004073C3 F3:AB               rep stos dword ptr es:[edi]         ; zero the 64 bytes starting at ctx+4
004073C5 8942 48             mov dword ptr ds:[edx+48],eax
004073C8 8942 44             mov dword ptr ds:[edx+44],eax
004073CB C742 4C 0123456>    mov dword ptr ds:[edx+4C],67452301
004073D2 C742 50 89ABCDE>    mov dword ptr ds:[edx+50],EFCDAB89
004073D9 C742 54 FEDCBA9>    mov dword ptr ds:[edx+54],98BADCFE
004073E0 C742 58 7654321>    mov dword ptr ds:[edx+58],10325476
004073E7 8BC2                mov eax,edx
004073E9 5F                  pop edi
004073EA C3                  retn
........
========================= 跟进 0040691A E8 810C0000 call MultiDes.004075A0 =========================
; ---------------------------------------------------------------------------
; MultiDes.004075A0 -- feed input bytes into the hash context (OllyDbg listing,
; 32-bit x86, Intel operand order, hexadecimal numbers).
; In:   ecx = context pointer (kept in ebx)
;       stack arg 1 = input pointer, stack arg 2 = input length (retn 8)
; Context fields used: [ctx+4..] 64-byte block buffer, [ctx+44]/[ctx+48]
; low/high dwords of a running bit count.
; Steps visible below:
;   1. buffer offset = ([ctx+44] >> 3) & 3F; bit count += len * 8 with a carry
;      into [ctx+48], plus len >> 1D added to [ctx+48];
;   2. if len >= 40 - offset: top the buffer up, call 00406990 on it, then call
;      00406990 on each further complete 0x40-byte block straight from the input;
;   3. copy whatever is left into the buffer (dword copy, then 0..3 tail bytes).
; 00406990 (the per-block transform) is not shown on this page.
; ---------------------------------------------------------------------------
004075A0 53                  push ebx                            ; author: what follows is the standard MD5 transform machinery
004075A1 8BD9                mov ebx,ecx
004075A3 8B4C24 0C           mov ecx,dword ptr ss:[esp+C]        ; input length (second stack argument)
004075A7 55                  push ebp
004075A8 8B53 44             mov edx,dword ptr ds:[ebx+44]
004075AB 56                  push esi
004075AC 8BC2                mov eax,edx
004075AE 8D34CD 00000000     lea esi,dword ptr ds:[ecx*8]        ; length in bits
004075B5 C1E8 03             shr eax,3
004075B8 8D14CA              lea edx,dword ptr ds:[edx+ecx*8]    ; new low dword of the bit count
004075BB 83E0 3F             and eax,3F                          ; eax = byte offset inside the 64-byte buffer
004075BE 3BD6                cmp edx,esi
004075C0 57                  push edi
004075C1 8953 44             mov dword ptr ds:[ebx+44],edx
004075C4 73 03               jnb short MultiDes.004075C9         ; no wrap-around -> skip the carry
004075C6 FF43 48             inc dword ptr ds:[ebx+48]           ; carry into the high dword
004075C9 8B7B 48             mov edi,dword ptr ds:[ebx+48]
004075CC 8BD1                mov edx,ecx
004075CE BD 40000000         mov ebp,40
004075D3 C1EA 1D             shr edx,1D                          ; bits of len*8 that do not fit the low dword
004075D6 2BE8                sub ebp,eax                         ; ebp = free bytes left in the buffer
004075D8 03FA                add edi,edx
004075DA 3BCD                cmp ecx,ebp
004075DC 897B 48             mov dword ptr ds:[ebx+48],edi
004075DF 72 52               jb short MultiDes.00407633          ; input does not fill the buffer -> just append it
; Fill the buffer to 64 bytes and process it.
004075E1 8B7424 14           mov esi,dword ptr ss:[esp+14]       ; input pointer (first stack argument)
004075E5 8BCD                mov ecx,ebp
004075E7 8D7C18 04           lea edi,dword ptr ds:[eax+ebx+4]    ; destination = buffer + offset
004075EB 8BC1                mov eax,ecx
004075ED C1E9 02             shr ecx,2
004075F0 F3:A5               rep movs dword ptr es:[edi],dword ptr ds:[esi]
004075F2 8BC8                mov ecx,eax
004075F4 83E1 03             and ecx,3
004075F7 F3:A4               rep movs byte ptr es:[edi],byte ptr ds:[esi]
004075F9 8D4B 04             lea ecx,dword ptr ds:[ebx+4]
004075FC 51                  push ecx
004075FD 8BCB                mov ecx,ebx
004075FF E8 8CF3FFFF         call MultiDes.00406990
; Process the remaining complete blocks directly from the input.
; edi = bytes of input consumed so far, esi = edi + 3F, ebp = input length.
00407604 8BFD                mov edi,ebp
00407606 8D75 3F             lea esi,dword ptr ss:[ebp+3F]
00407609 8B6C24 18           mov ebp,dword ptr ss:[esp+18]
0040760D 3BF5                cmp esi,ebp
0040760F 73 1A               jnb short MultiDes.0040762B
00407611 8B5424 14           mov edx,dword ptr ss:[esp+14]
00407615 8BCB                mov ecx,ebx
00407617 8D4432 C1           lea eax,dword ptr ds:[edx+esi-3F]   ; start of the next 64-byte block in the input
0040761B 50                  push eax
0040761C E8 6FF3FFFF         call MultiDes.00406990
00407621 83C6 40             add esi,40
00407624 83C7 40             add edi,40
00407627 3BF5                cmp esi,ebp
00407629 ^ 72 E6             jb short MultiDes.00407611
0040762B 8B4C24 18           mov ecx,dword ptr ss:[esp+18]
0040762F 33C0                xor eax,eax                         ; buffer offset is 0 after a processed block
00407631 EB 02               jmp short MultiDes.00407635
00407633 33FF                xor edi,edi                         ; nothing consumed on the short-input path
; Append the unconsumed tail (ecx - edi bytes) to the buffer.
00407635 8B5424 14           mov edx,dword ptr ss:[esp+14]
00407639 2BCF                sub ecx,edi
0040763B 8D3417              lea esi,dword ptr ds:[edi+edx]
0040763E 8D7C18 04           lea edi,dword ptr ds:[eax+ebx+4]
00407642 8BC1                mov eax,ecx
00407644 C1E9 02             shr ecx,2
00407647 F3:A5               rep movs dword ptr es:[edi],dword ptr ds:[esi]
00407649 8BC8                mov ecx,eax
0040764B 83E1 03             and ecx,3
0040764E F3:A4               rep movs byte ptr es:[edi],byte ptr ds:[esi]
00407650 5F                  pop edi
00407651 5E                  pop esi
00407652 5D                  pop ebp
00407653 5B                  pop ebx
00407654 C2 0800             retn 8
........
-------------------------------------------------------------------------------------------------------------------------
【算法总结】:
注册验证非常简单:
1、注册码固定为16位。
2、用户名位数小于或等于2位,则调用程序固定用户名“AA”来作为用户名。
3、把用户名所有字符由小写转为大写,结果记为N1。
4、N1前两位与固定字符串“wfeewwf3deda”连接组合成计算名,结果记为N2。
5、将N2进行标准MD5运算转换,结果记为KEY1。
6、取KEY1前16位转换为小写输出,则为注册码,结果记为KEY2。
(从防护设计的角度看:正确的注册码完全由用户名和程序内的固定字符串在本地推导出来,并以明文参与比较,所以这种校验的强度只取决于推导过程是否被读懂。)
【完美爆破点】:
00409FD4 75 53
jnz short MultiDes.0040A029
; nop掉!
-------------------------------------------------------------------------------------------------------------------------
【注册机】:
注册机我就不写了,很简单的。。。
【注册信息】:
Registered name
:KuNgBiM
Registered code
:687f-cda7-1400-9cf4
--------------------------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]--------------------------------------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2005-10-29
01:46:00 AM